In a dynamic environment, the set of available policy servers changes over time.
The web agent supports a dynamic policy server cluster through the enableDynamicHCO="YES" setting in the SmHost.conf file.
However, the HCO (Host Configuration Object) must still be updated with the correct policy servers.
The sample script in this article demonstrates how to use the adminUI REST API to dynamically update the policy server cluster.
[Prerequisite]
The SiteMinder administrator must find a way to write the list of currently available Policy Server IPs to the hosts.txt file, which this sample script uses as input for the new Policy Server list.
The AdminUI is required for the REST API to work.
[Disclaimer]
The provided script is just an example.
Comments and ideas are welcomed.
If further assistance is needed, please open a support ticket.
HCO-Update-Cluster.sh
#!/bin/bash
#
# Sample script that uses the adminUI REST API to dynamically update the hosts
# in one cluster of an HCO from a hosts list file.
#
#set -x
# Configure the following variables before running the script
# ====================================
# API_ENDPOINT includes the HCO name
# CLUSTER_INDEX starts from 0; 0 means the first cluster
# This file holds an administrator password: restrict read access to it.
API_ENDPOINT="https://<adminUI host>:<port>/ca/api/sso/services/policy/v1/SmHostConfigs/<HCO name>"
API_LOGIN_ENDPOINT="https://<adminUI host>:<port>/ca/api/sso/services/login/v1/token"
API_LOGIN_CREDENTIAL="<legacy admin user>:<password>"
CLUSTER_INDEX=0
# ====================================
JSON_FILE="./spshco.json"
NEW_JSON_FILE="./spshconew.json"
# In MY_HOSTS_FILE, IPs or hostnames must be in the first column
MY_HOSTS_FILE="./hosts.txt"
BAK_JSON_FILE="./spshco_$(date +%Y%m%d_%H%M%S).json"

# Get session token from API.
# NOTE: curl -k skips TLS certificate verification, so the admin credential
# and the session token are sent without authenticating the adminUI host.
# Replace -k with --cacert <CA bundle> once the adminUI certificate is trusted.
get_session_token() {
    local session_response
    session_response=$(curl -k -s -L -X POST \
        "${API_LOGIN_ENDPOINT}" \
        -u "$API_LOGIN_CREDENTIAL")
    if [[ "$session_response" == *"session"* ]]; then
        echo "$session_response" | jq -r .sessionkey
    else
        echo "Failed"
    fi
}

# Get session token
SESSION_TOKEN=$(get_session_token)
if [ "$SESSION_TOKEN" = "Failed" ]; then
    echo "Login failed." >&2
    exit 1
fi

# Export the current HCO; -f makes curl fail on an HTTP error so that an error
# response is never treated as the HCO and pushed back later
if ! curl -k -s -f -X 'GET' \
    "$API_ENDPOINT" \
    -H 'accept: application/json' \
    -H 'Authorization: Bearer '"$SESSION_TOKEN" > "${JSON_FILE}"; then
    echo "Failed to export HCO." >&2
    exit 1
fi

# Back up the old JSON output
cp "$JSON_FILE" "$BAK_JSON_FILE"

# Remove DOS line endings and blank lines; keep only the first column
sed 's/\r//g' "$MY_HOSTS_FILE" | awk 'NF {print $1}' > temphosts.txt
HOST_COUNT=$(wc -l < temphosts.txt | awk '{print $1}')

# Get the old host list in Clusters[CLUSTER_INDEX] as a raw string
# ("null" if that cluster does not exist)
OLD_HOST_LIST=$(jq -r --argjson idx "$CLUSTER_INDEX" '.data.Clusters[$idx]' "$JSON_FILE")

if [ "$HOST_COUNT" -gt 0 ]; then
    # Build the new host list: <count>;<host>,44443;...;0
    MY_HOST_LIST="$HOST_COUNT;$(awk '{printf "%s,44443;", $1}' temphosts.txt | sed 's/;$//');0"
    # Check if the old host list is the same as the new host list
    if [ "$MY_HOST_LIST" = "$OLD_HOST_LIST" ]; then
        echo "No change on host list"
        exit 0
    fi
    # Update Clusters[CLUSTER_INDEX] with the new host list. The value is passed
    # with --arg so hosts.txt content is never parsed as part of the jq program.
    jq --argjson idx "$CLUSTER_INDEX" --arg hosts "$MY_HOST_LIST" \
        '.data | .Clusters[$idx] = $hosts' "$JSON_FILE" > "$NEW_JSON_FILE"
else
    # The new host list is empty; check if the old host list is null too
    if [ "$OLD_HOST_LIST" = "null" ]; then
        echo "No change on host list"
        exit 0
    fi
    # Delete Clusters[CLUSTER_INDEX] if the old host list is not empty
    jq --argjson idx "$CLUSTER_INDEX" \
        '.data | del(.Clusters[$idx])' "$JSON_FILE" > "$NEW_JSON_FILE"
fi

# Update the HCO
curl -k -X 'PUT' \
    "$API_ENDPOINT" \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer '"$SESSION_TOKEN" \
    -d @"$NEW_JSON_FILE"
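
The cluster value is built directly from hosts.txt, so that file decides which Policy Servers the agents are told to use. The following added example (not part of the original script or of the product) validates every entry before the value is built; the function names are hypothetical, the port and the `count;host,44443;...;0` layout are copied from the sample script, and, unlike the sample script, it assumes an empty list should be rejected rather than used to delete the cluster.

```sh
#!/bin/sh
# Added example: validate hosts.txt before building the HCO cluster value.
# PS_PORT and the "count;host,port;...;0" layout come from the sample script.
PS_PORT=44443

# Succeeds if $1 looks like a hostname or a dotted-quad IPv4 address.
is_valid_host() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*-|*..*|*.-*|*-.*) return 1 ;;
    esac
    [ "${#1}" -le 253 ] || return 1
    case $1 in
        *[!0-9.]*) return 0 ;;   # has a letter or hyphen: treat as hostname
    esac
    # Digits and dots only: require four octets, each 0-255.
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if (length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# Prints the cluster value for hosts file $1. Fails, printing nothing on
# stdout, if an entry is malformed or duplicated, or if the list is empty.
build_cluster_value() (
    file=$1 value="" count=0 seen=" "
    cr=$(printf '\r')
    while read -r host rest || [ -n "$host" ]; do
        host=${host%"$cr"}             # tolerate DOS line endings
        [ -n "$host" ] || continue     # skip blank lines
        if ! is_valid_host "$host"; then
            echo "malformed entry in $file, nothing built" >&2
            exit 1
        fi
        case $seen in
            *" $host "*) echo "duplicate entry: $host" >&2; exit 1 ;;
        esac
        seen="$seen$host "
        value="$value$host,$PS_PORT;"
        count=$((count + 1))
    done < "$file"
    [ "$count" -gt 0 ] || { echo "no hosts in $file" >&2; exit 1; }
    printf '%s;%s0\n' "$count" "$value"
)
```

Because the function fails without printing a value, a caller can stop before the PUT request whenever hosts.txt is truncated or tampered with.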
API doc
Connect a WSS Agent to a Dynamic Policy Server Cluster